Now for something a bit more hands-on: how to use Log Analytics to pick out brute-force attacks. Such an attack is nothing more than repeated login attempts with different passwords, so all you need to do is recognize that pattern in the logs, and Log Analytics is exactly the tool for that. If you have Sentinel as well, it may be even simpler.
To query these logs, you first need to configure which logs to collect, as described in "Collecting system logs through Log Analytics"; after that you can search them with a query.
For Linux, you can try the following query. It counts failed sshd logins per computer, source address and target user, and then joins them with a later successful login from the same address for the same user:

```kusto
Syslog
| where SeverityLevel == "info" and ProcessName == "sshd" and SyslogMessage contains "Failed"
| extend TargetUser = extract(@"(.*?)(\S+)(\s+from\s+)(\S+)(.+)", 2, SyslogMessage)
| extend SourceIP = extract(@"(.*?)(\S+)(\s+from\s+)(\S+)(.+)", 4, SyslogMessage)
| where isnotempty(SourceIP) and isnotempty(TargetUser)
| summarize x=max(TimeGenerated), FailedLogins = count() by Computer, SourceIP, TargetUser
| where FailedLogins >= 15
| join kind=inner (Syslog
    | where (SyslogMessage has 'Accepted' and SyslogMessage has 'ssh2') and SyslogMessage !contains "input_userauth"
    | extend TargetUser2 = replace(@"(.*?)(\S+)(\s+from\s+)(\S+)(.+)", @"\2", SyslogMessage)
    | extend SourceIP2 = replace(@"(.*?)(\S+)(\s+from\s+)(\S+)(.+)", @"\4", SyslogMessage)
    | where isnotempty(SourceIP2) and isnotempty(TargetUser2)
    | summarize y=min(TimeGenerated), SuccessfulLogin = count() by Computer, TargetUser2, SourceIP2
    | where SuccessfulLogin >= 1) on Computer
| where Computer == Computer1
| where SourceIP == SourceIP2
| where TargetUser == TargetUser2
| where y > x
| extend Hosts=Computer
| extend FQDN=split(Computer, ".", 0)
| extend Computer=tostring(FQDN[0])
| project Computer, Hosts, SourceIP, TargetUser, x, FailedLogins, y
| project-rename LastFailedLogon = x, SuccessfulLogonAfterFailure = y
| project-rename configurationitem = Computer
```
For Windows, try this query. It orders logon events (4624 success, 4625 failure) per computer and target user, and flags accounts where a run of eleven consecutive failures is followed by a success; machine accounts (names containing "$") are excluded:

```kusto
SecurityEvent
| where EventID == 4624 or EventID == 4625
| extend Outcome = iff(EventID == 4624, "Success", "Failed")
| sort by TimeGenerated asc, Computer asc
| summarize make_list(Outcome) by Computer, TargetUserName
| where list_Outcome contains "Failed" and countof(tostring(list_Outcome), "Failed") >= 11
| extend total_attempt = array_length(list_Outcome)
| extend total_successful_attempt = countof(tostring(list_Outcome), "Success")
| extend total_failed_attempt = countof(tostring(list_Outcome), "Failed")
| extend combination_of_listoutcome = strcat_array(list_Outcome, "")
| where combination_of_listoutcome contains "FailedFailedFailedFailedFailedFailedFailedFailedFailedFailedFailedSuccess"
| project Computer, TargetUserName, total_attempt, total_successful_attempt, total_failed_attempt
| where TargetUserName !contains "$"
```
I haven't seen any recent Windows logs of this kind, so the query returns no results for me.
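To make the logic of both queries concrete offline, here is an added Python example (not from the original post and not Microsoft code) that applies the same two detections to constructed log records. The sshd lines, host names and addresses are made up; the regex capture groups (2 = user, 4 = source address) are the ones the Linux query uses. It goes slightly beyond the KQL in one respect: the Linux query compares the earliest success (`min`) with the latest failure (`max`), so an unrelated earlier success from the same address would suppress the alert, whereas this code looks for the first success that comes after the last failure.

```python
import re
from collections import defaultdict
from datetime import datetime

# Same capture groups as the page's KQL: group 2 = user name, group 4 = source address.
SSHD_RE = re.compile(r"(.*?)(\S+)(\s+from\s+)(\S+)(.+)")

# Constructed sshd syslog records (timestamp, computer, message): 15 failures from one
# address, then a success from the same address, plus an unrelated success for another user.
SAMPLE_SYSLOG = [
    ("2024-05-01T10:00:%02dZ" % i, "web01.example.local",
     "Failed password for alice from 203.0.113.7 port 51234 ssh2") for i in range(15)
] + [
    ("2024-05-01T10:05:00Z", "web01.example.local",
     "Accepted password for alice from 203.0.113.7 port 51300 ssh2"),
    ("2024-05-01T09:00:00Z", "web01.example.local",
     "Accepted publickey for bob from 198.51.100.5 port 40000 ssh2"),
]

# Constructed Windows SecurityEvent records (timestamp, computer, TargetUserName, EventID):
# eleven 4625 failures followed by a 4624 success, plus a machine-account logon to be ignored.
SAMPLE_SECURITY_EVENTS = [
    ("2024-05-01T11:00:%02dZ" % i, "DC01", "svc-backup", 4625) for i in range(11)
] + [
    ("2024-05-01T11:01:00Z", "DC01", "svc-backup", 4624),
    ("2024-05-01T11:02:00Z", "DC01", "DC01$", 4624),
]


def parse_sshd(ts, computer, message):
    """Classify an sshd message the way the Linux query does and pull out user and source.
    Returns (time, computer, user, source_ip, outcome) or None for messages we don't care about."""
    if "Failed" in message:
        outcome = "Failed"
    elif "Accepted" in message and "ssh2" in message and "input_userauth" not in message:
        outcome = "Success"
    else:
        return None
    m = SSHD_RE.match(message)
    if not m:
        return None
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return (when, computer, m.group(2), m.group(4), outcome)


def brute_force_then_success(events, threshold=15):
    """Per (computer, source_ip, user): at least `threshold` failures and a success that
    happens after the last failure. Mirrors the join in the Linux query."""
    groups = defaultdict(lambda: {"Failed": [], "Success": []})
    for when, computer, user, ip, outcome in events:
        groups[(computer, ip, user)][outcome].append(when)
    hits = []
    for (computer, ip, user), g in groups.items():
        if len(g["Failed"]) < threshold or not g["Success"]:
            continue
        last_failed = max(g["Failed"])
        later = [t for t in g["Success"] if t > last_failed]
        if later:
            hits.append({"Computer": computer, "SourceIP": ip, "TargetUser": user,
                         "FailedLogins": len(g["Failed"]), "LastFailedLogon": last_failed,
                         "SuccessfulLogonAfterFailure": min(later)})
    return hits


def failed_run_then_success(outcomes, run_length=11):
    """True if `run_length` consecutive failures are immediately followed by a success,
    the same substring test the Windows query performs on strcat_array(list_Outcome)."""
    return ("Failed" * run_length + "Success") in "".join(outcomes)


def windows_brute_force(events, run_length=11):
    """Order 4624/4625 events per (Computer, TargetUserName), skip machine accounts,
    and report accounts whose outcome sequence matches the failure-run-then-success pattern."""
    by_key = defaultdict(list)
    for ts, computer, user, event_id in sorted(events):  # ISO timestamps sort lexically
        if "$" in user:
            continue
        by_key[(computer, user)].append("Success" if event_id == 4624 else "Failed")
    return [{"Computer": c, "TargetUserName": u, "total_attempt": len(o),
             "total_successful_attempt": o.count("Success"),
             "total_failed_attempt": o.count("Failed")}
            for (c, u), o in by_key.items() if failed_run_then_success(o, run_length)]


if __name__ == "__main__":
    linux_events = [e for e in (parse_sshd(*r) for r in SAMPLE_SYSLOG) if e]
    print(brute_force_then_success(linux_events))
    print(windows_brute_force(SAMPLE_SECURITY_EVENTS))
```

The thresholds (15 failures for sshd, a run of 11 for Windows) are the page's values and are parameters here, since the right number depends on how noisy a given environment is.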
Once a query returns results, you can turn it into an alert rule so that you don't have to run it by hand all the time; when something turns up, it alerts automatically. Of course, test any query before putting it into production, and some will need adjusting to your own environment; that depends on your actual needs.